SharePoint Anti-Keylogger

The SPS AKL (SharePoint Portal Server Anti-Key Logger) is an application that facilitates keylogger detection routines by leveraging Windows services, and provides removal and recommended prevention options through multiple modules. There are three main modules that complete the system.

Check Process Service Module – Runs against the current services located on the machine to detect whether a keylogger is present on the target machine.

Detected Keylog Attempt Module and Actions Management – A management interface for use if and when a keylogger is detected on one of your SharePoint machines. It gives you insight into the keylogger and the options available for dealing with the malware.

Keyloggers are becoming a commonplace method for intruders to gain unauthorized access to systems by recording user keystrokes as they occur on an arbitrary machine or, in our case, on a SharePoint Portal Server or Windows SharePoint Services server. Protecting your server from keyloggers is a fairly crucial measure in any security structure, ensuring that you retain full control of your machines without worrying about them being compromised by hackers.

Keyloggers exist at two levels: hardware and software. A range of hardware keyloggers is available, from those that are fairly easy to detect, such as devices that attach inline with the keyboard cable or bind to the port where the keyboard is connected, to those that are placed directly inside the keyboard or laptop.

How the data is retrieved from the target machine varies heavily depending on the application used, and each approach has its own implications. The most common way is to slip in a trojan or other remote-access application that gives the intruder direct access to the machine to query the log generated by the keylogger. Because SharePoint machines are often hooked into MS Exchange servers, the information can typically be sent automatically by email, which is slightly more elegant than the former technique because it leaves less of a trail and gives less evidence to computer forensic analysts.

At first glance keyloggers appear to exist only for malicious purposes, but this is not entirely the case. Against the author's ethics and beliefs, as well as those of several others, various corporations have been installing hardware keyloggers in their machines to capture exact employee activity and report on arbitrary data. The laws regarding this are fairly blatant: since the machine is typically the company's property, any and all information that is created on, stored on, or possibly sent from the host machine remains the property of the company (this is a fairly grey issue), and therefore there are no legal ramifications that prevent organizations from doing so. The FBI has even been known to leverage keylogging technology to break down encrypted communications by those participating in illegal activity (the most famous example of which is Magic Lantern).

Securing your SharePoint environment against keyloggers is as important as web and network layer security. The SPS AKL is composed of two main modules that help you harden your SharePoint environment, one for detection and another for management. The central processing portions are kept as a Windows service that will need to be installed.

In order to install the Anti-Keylogger service:
Select Start
Choose Run
Enter the following command: "C:\ProgramFiles\ARB Security Solutions\SPS AKL\SharePoint AKL Service.exe" /INSTALL

This will allow you to manage the service from the services.msc snap-in, where you should be able to control it at a more granular level with regard to startup options. Once you have the service installed, the other tools are easy to use. Select the SPS AKL from the Programs flyout, and you will notice that a new item is added to your taskbar. From here you can either check the current processes for keyloggers, or bring up the main interface, which will allow you to resolve keylogging issues.

From the icon, you can bring up the selection interface by right-clicking on it.

It is suggested that you leave the interface in its taskbar state so that you can receive notifications regarding keyloggers as they arise.